Vulnerability Disclosure Policy

OCS Vulnerability Disclosure Policy

We take security, trust, and transparency seriously. OCS appreciates the work of security researchers and has developed a program to make it easier to report vulnerabilities to OCS and to recognize you for your effort to make the Internet a better place. This policy provides our guidelines for reporting vulnerabilities to OCS.

If you believe you have found a security vulnerability that could impact OCS or our users, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. We ask that you follow OCS’s Vulnerability Disclosure Policy and HackerOne’s Disclosure Guidelines and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.

SCOPE

Any web properties owned by ordercloudserver.com are in scope for the program.

Customers of ordercloudserver.com, and non-ordercloudserver.com sites in front of or behind our infrastructure, are out of scope.

Submissions that specifically detail a "best practice" are out of scope unless they are exploitable en masse.

EXAMPLE: Missing SPF records or other email misconfiguration is not a reportable issue unless you can demonstrate that this missing record or misconfiguration allows you to successfully do something with significant impact.

ELIGIBILITY and DISCLOSURE

You must be the first person to responsibly disclose an unknown issue.

All legitimate reports will be reviewed and assessed by the OCS Hosting Service security team to determine whether they are eligible.

As mentioned in our Privacy and Security Policy, the OCS Hosting Service website and services are not intended for, or designed to attract, individuals under the age of 18.
Due to the Children's Online Privacy Protection Act (COPPA), we cannot accept submissions from children under the age of 13. Reporters under the legal age of the country where they reside will not be eligible to receive OCS Hosting Service rewards unless a verifiable letter from a legal custodian is submitted.
We will find another way to recognize your effort.

REWARDS

For each eligible vulnerability report, the reporter will receive:

Recognition on our Hall of Fame.

A limited edition OCS bug hunter t-shirt. OCS employees don't even have this shirt. It's only for you all. Wear it with pride: you're part of an exclusive group.

3 months of the OCS Hosting FLEX hosting package, on us.

Monetary compensation is not currently offered under this program.

EXCLUSIONS

The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in permanent disqualification from the program.